Windows Server 2008 R2 Thread, Folder Permissions Question in Technical; Hi,
Our ICT Teachers want to have full access to students work areas so that they can go in and ...
30th January 2013, 12:22 PM #1
Folder Permissions Question
Our ICT Teachers want to have full access to students work areas so that they can go in and print work off / mark it. I have created a security group and added the teachers in it. I then added them to the 'homedrive' folder modify full control which contains all the students user folders in. When applying it only applies to a small amount of users and most deny access to the teachers when they try to access the files.
When checking individual folders, the group is not there. What click box do i need to check so that all the security permissions in the sub folders are inherited without denying access to the students too?
Im sure its simple, my mind has just gone blank and last time i tried i took ownership of all the folders by accident and no-one could access anything!
When checking sub folders, the permissions and group have not been inherited.
Last edited by Darylrese; 30th January 2013 at 12:24 PM.
30th January 2013, 12:33 PM #2
are the folders underneath the top level home drives folder set to inherit from parent?
forcing the permissions to replicated to that folder and child objects is under the advance tab in security.
still getting used to the slightly different UI layout for 2k8r2 so this might be slightly incorrect...
Last edited by SHimmer45; 30th January 2013 at 12:34 PM.
30th January 2013, 12:58 PM #3
The setup is E:\Home drives then in there is all the students folders, inside them is a My documents folder. Theres no inherit permissions on those, problem is i cant find a way of doing it in bulk.
We basically need all the 'My Documents' folders to inherit from the parent folder but also still include the exisiting permissions. For example on this account OAKill is specified as a user in the list, if i force child folders to have parent permissions (from the homedrivers folder), this im guessing will take him off the security list therefore denying him access to his work area?
Last edited by Darylrese; 30th January 2013 at 12:59 PM.
30th January 2013, 02:30 PM #4
as you havent got inherited permissions running through your folder tree you will need to add them to each folder is an option (long and painful)
are you manually creating this home directory folders?
if you check the inherit permissions box the permissions you have defined already "shouldnt" be changed
id create a dummy folder structure and see how it behaves and if you does what you need it to do.
30th January 2013, 02:45 PM #5
Oh man not looking forward to that!!
When a new student starts we manually enter a document path in AD in their profile and it creates it for us when they log in.
30th January 2013, 02:55 PM #6
id still suggest doing a little test as you might not need to manually re-add anything.
30th January 2013, 03:11 PM #7
Sound like you either enter it in manually or use a script in combination with cacls or icacls. BTW you can probably get away with just read access.
30th January 2013, 09:59 PM #8
- Rep Power
for /D %a in ("E:\Homedrives\*") do icacls "%~a\My Documents" /grant:r "MCA\ICT Teachers File Access":(OI)(CI)(IO)(M) /C /Q
Last edited by jklight; 30th January 2013 at 10:08 PM.
Reason: code fix
31st January 2013, 08:19 AM #9
Thats great thanks, will that script just add permissions to that group on all subfolders?
31st January 2013, 02:02 PM #10
- Rep Power
The (OI)(CI)(IO) means "inherit to subfolders or files" and is needed so that they don't have rights to delete the "My Documents" folder itself.
The (M) means "Modify Rights" as apeo suggests, maybe "(R)" is what they need and not "(M)".
The /grant:r means "Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions." Experiment with the :r to see if it needed or not.
31st January 2013, 09:29 PM #11
Thanks guys. In the end we created a security group for all students and one for staff needing access, gave them the correct level of access and forced it to replace all child folder permissions from the home drive folder.
Everyone can get in now, they just need to be added to the correct group to get into the work areas when setting up but that not issue. All the folders have the same permissions now.
The only problem i guess is technically everyone has access to each others files as long as they are a member of the group but their documents is redirected so they cant change the path and also they have no way of getting on the server anyway.
I appriciate its not the best way of doing things but the document library for students is forced via GPO so i can't see an issue until we have time to completely change the file structure in the future. They also dont have access to the e drive so unless they manage to get the admin account they cant do anything anyway
Last edited by Darylrese; 31st January 2013 at 09:40 PM.
31st January 2013, 09:42 PM #12
- Rep Power
I would say that that is not what I would recommend. If "technically" everyone has access to each others files then in all reality they *DO* have access to each others files. There are just too many ways to get places. Maybe if all the kids are under 9 or 10 years old but they really do get good at finding holes. When things go wrong, or missing, or stuff just starts showing up how do you know what is going on since permissions say anyone and everyone could be the cause? JMHO
31st January 2013, 09:43 PM #13
I understand i just cant see a better way of doing it without setting permissions one by one or starting again :/
Last edited by Darylrese; 31st January 2013 at 09:45 PM.
31st January 2013, 09:51 PM #14
- Rep Power
Use the ICACLS command that MS provides...
31st January 2013, 09:55 PM #15
not used it before, a little new to this but will look into it, thank-you. Will it reset permissions for the whole structure?
Basically we need teachers security group to have full control over the 'homedrives' folder and then each student full permission to their own folders within that
Ok your right, i can't keep it like this, a shortcut to the folder lets a student in. If all else fails we might have to go into each folder and add the student to their own security tab one by one...there arn't thousands
I need to reset them back to what they were and start again if possible.
Last edited by Darylrese; 31st January 2013 at 10:24 PM.
By WiPPaH in forum Windows Server 2000/2003
Last Post: 9th February 2010, 04:36 PM
By tickmike in forum *nix
Last Post: 12th January 2007, 09:26 PM
By wesleyw in forum Windows
Last Post: 9th January 2007, 08:25 PM
By ajbritton in forum ICT KS3 SATS Tests
Last Post: 18th December 2006, 11:09 AM
Last Post: 12th October 2006, 09:37 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)